What is DORA? The Digital Operational Resilience Act
Legislative Background
Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector — known as the Digital Operational Resilience Act (DORA) — was published in the Official Journal of the EU on 27 December 2022, entered into force on 16 January 2023, and has applied since 17 January 2025. Unlike directives, DORA is a regulation: it is directly applicable in all EU member states without requiring national transposition legislation.
Before DORA, the EU financial sector's ICT risk landscape was governed by a patchwork of national rules, sectoral guidelines from the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA), and the European Insurance and Occupational Pensions Authority (EIOPA), such as the EBA's 2019 guidelines on ICT and security risk management and on outsourcing arrangements, as well as non-binding recommendations. This fragmentation meant that a bank operating across multiple member states faced inconsistent requirements for ICT risk management, incident reporting, and third-party oversight, and that a cloud provider serving the sector faced different contractual and audit expectations in each jurisdiction.
The impetus for a harmonised regulation was accelerated by high-profile cyber incidents. WannaCry and NotPetya (both 2017) demonstrated the financial sector's deep dependency on ICT systems and how quickly an operational failure can propagate through shared infrastructure. The European Commission's September 2020 Digital Finance Package included the DORA proposal alongside the Markets in Crypto-Assets Regulation (MiCA), recognising that digital operational resilience is a precondition for financial stability in an increasingly digitalised sector. The SolarWinds supply chain compromise, disclosed in December 2020 while the proposal was under negotiation, reinforced the case for the third-party oversight elements that ended up in the final text.
Entry into Force and Application
DORA entered into force on 16 January 2023 and applies from 17 January 2025.
Subject Matter
Lays down uniform requirements concerning the security of network and information systems supporting the business processes of financial entities.
The Five-Pillar Framework
DORA is structured around five interconnected pillars, each addressed in a dedicated chapter of the Regulation. Together, they form a comprehensive framework for digital operational resilience that goes well beyond traditional IT security.
The first pillar, ICT Risk Management (Chapter II, Articles 5-16), requires financial entities to establish and maintain a comprehensive ICT risk management framework covering identification, protection and prevention, detection, response and recovery, backup and restoration, and learning and evolving (Articles 8 to 13). Under Article 5(2), the management body defines, approves, oversees and is responsible for the implementation of all arrangements in this framework, and bears ultimate accountability for the entity's ICT risk.
The second pillar, ICT-Related Incident Management, Classification, and Reporting (Chapter III, Articles 17-23), mandates that financial entities establish processes to detect, manage, log, classify, and report ICT-related incidents. Incidents are classified against the criteria of Article 18; major ICT-related incidents must be reported to the competent authority in three stages under Article 19(4) (initial notification, intermediate report, final report), using standardised templates and within the timelines set in the accompanying technical standards, and significant cyber threats may be notified on a voluntary basis.
The third pillar, Digital Operational Resilience Testing (Chapter IV, Articles 24-27), requires financial entities other than microenterprises to establish, maintain and review a testing programme proportionate to their size and risk profile (Article 24(1)); microenterprises instead test on a risk-based approach under Article 25(3). Financial entities that competent authorities identify under Article 26(8), on the basis of impact-related factors, financial stability concerns including systemic character, and the entity's ICT risk profile, must additionally undergo threat-led penetration testing (TLPT) at least every three years.
The fourth pillar — ICT Third-Party Risk Management (Chapter V, Articles 28-44) — addresses the risks arising from financial entities' reliance on ICT third-party service providers. It introduces contractual requirements, a mandatory register of information on ICT third-party arrangements, and a novel direct oversight framework for critical ICT third-party providers.
The fifth pillar — Information-Sharing Arrangements (Chapter VI, Article 45) — enables financial entities to exchange cyber threat information and intelligence among themselves, subject to safeguards for data protection, competition law, and confidentiality of business information.
ICT Risk Management — Governance
Management body defines, approves, oversees, and is accountable for the ICT risk management framework.
ICT-Related Incident Management Process
Financial entities must establish processes to detect, manage, and report ICT-related incidents.
Digital Operational Resilience Testing Programme
Financial entities other than microenterprises must establish, maintain, and review a sound and comprehensive testing programme; microenterprises test under the risk-based approach of Article 25(3).
Key Principles for ICT Third-Party Risk Management
Financial entities must manage ICT third-party risk as an integral component of their ICT risk management framework.
Information-Sharing Arrangements
Financial entities may exchange cyber threat information and intelligence among themselves.
Scope and Entity Types
DORA applies to 21 categories of financial entities enumerated in Article 2(1)(a) through (u). This is one of the broadest scoping exercises in EU financial regulation, capturing entities across banking, insurance, capital markets, payments, and crypto-assets.
The in-scope entity types include: (a) credit institutions, (b) payment institutions (including those exempted under PSD2), (c) account information service providers, (d) electronic money institutions (including those exempted under EMD2), (e) investment firms, (f) crypto-asset service providers authorised under MiCA and issuers of asset-referenced tokens, (g) central securities depositories, (h) central counterparties, (i) trading venues, (j) trade repositories, (k) managers of alternative investment funds (AIFMs), (l) management companies of UCITS, (m) data reporting service providers, (n) insurance and reinsurance undertakings, (o) insurance intermediaries, reinsurance intermediaries, and ancillary insurance intermediaries, (p) institutions for occupational retirement provision (IORPs), (q) credit rating agencies, (r) administrators of critical benchmarks, (s) crowdfunding service providers, (t) securitisation repositories, and (u) ICT third-party service providers. Article 2(3) then carves a small number of entities back out, for example sub-threshold AIFMs registered under Article 3(2) of the AIFMD and IORPs whose schemes together have no more than 15 members, so scoping should be checked against Article 2(3) as well as the Article 2(1) list.
Notably, Article 2(2) defines "financial entities" as the entities in points (a) to (t) only. ICT third-party service providers under point (u), including cloud computing providers, data centre operators, and managed service providers, are therefore within DORA's perimeter but are not financial entities: they are reached indirectly through the contractual requirements imposed on financial entities (Articles 28-30) and, for those designated as critical ICT third-party service providers, directly through the oversight framework (Articles 31-44). This dual mechanism ensures comprehensive coverage of the financial sector's ICT supply chain.
Scope — Entity Types
Lists 21 categories of financial entities subject to DORA, from credit institutions to ICT third-party service providers.
Scope — Preamble
Establishes that DORA applies to the listed entity types as regulated under the relevant EU financial services legislation.
Lex Specialis with NIS2
Article 1(2) of DORA settles its relationship with the NIS2 Directive (Directive (EU) 2022/2555): for financial entities identified as essential or important entities under the national rules transposing Article 3 of NIS2, DORA is a sector-specific Union legal act for the purposes of Article 4 of NIS2. Under that Article, where a sector-specific act requires entities to adopt cybersecurity risk-management measures or to notify significant incidents, and those requirements are at least equivalent in effect to those of NIS2, the corresponding NIS2 provisions, including NIS2's supervision and enforcement chapter, do not apply. The recitals of both acts draw the conclusion directly: DORA is lex specialis to NIS2 for financial entities in relation to ICT risk management and incident reporting.
The disapplication is not a blanket exemption from NIS2. It covers the two categories that NIS2 Article 4 names, cybersecurity risk-management measures and incident notification, where DORA's requirements are at least equivalent in effect. For financial entities that are also essential or important entities under NIS2 (Annex I lists banking and financial market infrastructures as sectors of high criticality), DORA Chapter II displaces NIS2 Article 21, DORA Chapter III displaces NIS2 Article 23, and NIS2's supervision and enforcement provisions in Chapter VII are displaced with them, so the financial supervisor rather than the NIS2 authority supervises these obligations. DORA Chapter IV testing has no NIS2 counterpart and simply applies.
NIS2 nonetheless remains relevant. Its cooperation machinery, the Cooperation Group and the CSIRTs Network, keeps operating, the NIS2 framework expects financial supervisors and NIS2 authorities and CSIRTs to cooperate and exchange information, and DORA Article 19(6) requires the financial supervisor to forward major incident reports to, among others, the NIS2 competent authorities, single points of contact or CSIRTs. The disapplication also attaches to the financial entity, not to its group: an intra-group ICT provider or other non-financial affiliate may be an essential or important entity in its own right. Financial entities should therefore map, obligation by obligation, which NIS2 provisions DORA displaces and which still reach the entity or its affiliates.
Lex Specialis
DORA is a sector-specific Union legal act under NIS2 Article 4 and, in effect, lex specialis to NIS2 for financial entities' ICT risk management and incident reporting requirements.
Sector-Specific Union Legal Acts
Where a sector-specific Union legal act requires cybersecurity risk-management measures or incident notification at least equivalent in effect to NIS2's, the corresponding NIS2 provisions, including supervision and enforcement, do not apply to those entities.
DORA's ICT risk management framework (Chapter II, Arts. 5-16) provides equivalent or more specific requirements than NIS2 Art. 21 for financial entities, making DORA the prevailing obligation.
Proportionality
DORA embeds the principle of proportionality throughout its requirements. Article 4 establishes that financial entities shall implement the rules laid down in Chapter II (ICT risk management) in accordance with the principle of proportionality, taking into account their size and overall risk profile, and the nature, scale, and complexity of their services, activities, and operations.
Two distinct relief mechanisms sit on top of this, and they are often conflated. First, microenterprises (defined in Article 3 by reference to Commission Recommendation 2003/361/EC as entities employing fewer than 10 persons with an annual turnover and/or balance sheet total not exceeding EUR 2 million, and excluding trading venues, central counterparties, trade repositories and central securities depositories) are carved out of specific obligations rather than given a separate framework. Several Chapter II requirements apply only to financial entities "other than microenterprises", such as the Article 6 requirements to assign ICT risk oversight to an independent control function and to subject the framework to internal audit; the testing programme of Article 24(1) is replaced for microenterprises by the risk-based testing approach of Article 25(3); and microenterprises are excluded from TLPT under Article 26. Second, Article 16 provides a genuinely simplified ICT risk management framework, but for a different population: small and non-interconnected investment firms, payment institutions and electronic money institutions exempted under PSD2 and EMD2, credit institutions exempted under Article 2(5) of the Capital Requirements Directive where the Member State has not exercised the Article 2(4) option to apply DORA to them, and small IORPs. For these entities Articles 5 to 15 do not apply, and Article 16 sets a reduced, documented framework in their place.
Neither mechanism is an opt-out. Chapter III incident reporting (Articles 17-23) and the register of information on ICT third-party arrangements (Article 28(3)) apply to every financial entity, microenterprises and Article 16 entities included, and Article 16 entities must still operate a sound and documented, if simplified, ICT risk management framework. Article 4(2) extends proportionality to Chapters III and IV and to Chapter V, Section I, so the depth and sophistication of implementation scale with the entity, but the obligations themselves do not fall away. Under Article 4(3), competent authorities consider how an entity has applied proportionality when reviewing its ICT risk management framework, so an entity must be able to justify the level of implementation it has chosen against its actual risk profile.
Principle of Proportionality
Implementation shall be proportionate to the entity's size, overall risk profile, and the nature, scale, and complexity of its operations.
Simplified ICT Risk Management Framework
Microenterprises are carved out of specific Chapter II and Chapter IV obligations, and the entity types listed in Article 16(1) apply a simplified ICT risk management framework; both remain subject to incident reporting and register obligations.
Proportionality reduces the depth of implementation, not the scope of obligations. Even microenterprises and Article 16 entities must report major ICT incidents and maintain the register of ICT third-party arrangements.
Frequently Asked Questions
What is DORA?
DORA — the Digital Operational Resilience Act — is Regulation (EU) 2022/2554, which establishes uniform requirements for the security of network and information systems supporting the business processes of financial entities across the EU. It creates a harmonised framework covering ICT risk management, incident reporting, resilience testing, third-party oversight, and information sharing.
Who does DORA apply to?
DORA applies to 21 categories of financial entities listed in Article 2(1), including credit institutions, payment institutions, investment firms, insurance undertakings, crypto-asset service providers, central counterparties, trading venues, pension funds, credit rating agencies, and ICT third-party service providers. The scope covers virtually the entire EU financial sector.
When did DORA start applying?
DORA entered into force on 16 January 2023 and has applied since 17 January 2025. Unlike directives, DORA is a regulation and was directly applicable across all EU member states from the application date without requiring national transposition.
How is DORA different from NIS2?
DORA is a regulation (directly applicable), while NIS2 is a directive (requires national transposition). DORA serves as lex specialis to NIS2 for financial entities under Article 1(2), meaning DORA's more specific ICT risk management and incident reporting requirements prevail over the equivalent NIS2 provisions. DORA also introduces unique elements such as the ICT third-party oversight framework and mandatory threat-led penetration testing that have no direct NIS2 equivalent.
Is DORA a directive or a regulation?
DORA is a regulation — Regulation (EU) 2022/2554. As a regulation, it is directly applicable in all 27 EU member states without requiring transposition into national law. This ensures uniform requirements across the single market, avoiding the fragmented national implementations that characterised previous directive-based approaches to ICT risk in financial services.
This content is for informational purposes only and does not constitute legal advice. Consult qualified legal counsel for compliance decisions.
Automate DORA Compliance with FortisEU
Turn regulatory obligations into actionable controls with evidence workflows, real-time dashboards, and EU-sovereign AI assistance.